July 29, 2008

Cisco: Remote CLI access without Login/Password

When I configure a bunch of Cisco gears in lab environment, just for fun or testing some new feature, I like the ability to get CLI access with telnet without having to authenticate myself with any username nor password. You can achieve this level of “insecurity” which is totally great for a lab only use simply by changing the VTY’s configuration.

In normal situations you configure VTY to allow remote CLI access to your device like:

Router>
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#password Cisco
Router(config-line)#login

and then you login to your device (10.0.0.1) with telnet like:

> telnet 10.0.0.1
Trying 10.0.0.1 ... Open

User Access Verification

Password:
Router>
Router>enable
% No password set

(Don’t forget to set up enable password, otherwise you will not reach the privileged exec mode.)

So, to overcome the login screen, and to gain access without authentication it’s enough to turn off the “login”, simple as:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#no login

And then the telnet looks like this:

> telnet 10.0.0.1
Trying 10.0.0.1 ... Open

Router>

Well, if you want to make your work even faster, configure a VTY line, so that you will be put directly into a privileged exec mode by setting a VTY’s privilege level to level 15. And don’t forget to turn on one of the greatest CLI feature – the “logging synchronous”. The final configuration then looks like:

Router#sh run | section line vty
line vty 0 4
privilege level 15
logging synchronous
no login

and a telnet login then looks like:

> telnet 10.0.0.1
Trying 10.0.0.1 ... Open

Router#

 

Update (30.8.2008):

I forgot to add the “exec-timeout 0” command. By default, after 15 minutes of inactivity, the device will automatically disconnect your telnet session. With the “exec-timeout” command you can change the default value. If you set it to 0, the device will never try to disconnect your telnet session. It’s very useful on labs. So the final configuration would be:

Router#sh run | section line vty
line vty 0 4
privilege level 15
exec-timeout
logging synchronous

no login